[Bro] Attach Barnyard2 to Bro2

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Jan 22 09:56:36 PST 2014


On Jan 21, 2014, at 3:11 PM, Jeremy Cox <jeremy.cox at washk12.org> wrote:

> I am attempting to use Barnyard2 to feed events from Suricata to Bro2.  It looks like Barnyard2 wants to access Bro on 47757/tcp.  Bro is not currently listening to that port.

> Should bro be listening to 47757/tcp?

Only if you’re running a command-line bro.  47757/tcp is the default listen port for running bro command-line style.

> And I'm not sure how to get it listening, or if that's just the old port it used to listen to.  I attempted to have barnyard connect to 47760 in standalone mode

47760/tcp is the default listen port of the bro instance of BroControl’s standalone node.

> and 47761 or 47762 or 47763 in clustered mode.

47761/tcp is the listen port of the bro manager node when using BroControl to manage a cluster.  It probably makes most sense to configure Barnyard2 to connect to this port if you’re running a Bro cluster.

> In all instances Barnyard seems to connect to Bro, and then unexpectedly crashes.  Am I missing something?

What versions of Bro and Barnyard2 are you using (and any particular configure flags for Barnyard2, like --enable-ipv6)?  IIRC I think you will need at least Bro 2.1 and Barnyard 2.1.10.

I was able to get something simple working w/ latest Bro and Barnyard git master branches.  The only extra thing to do in Bro that’s not obvious is make sure the manager node has code to accept Barnyard alerts (putting it in site/local.bro is the simple way):

   # Load the Barnyard2 integration script so the manager knows the event and its types.
   @load policy/integration/barnyard2
   # Accept (not initiate: $connect=F) a connection from Barnyard2 on the local host
   # and receive only its Barnyard2::barnyard_alert events.
   redef Communication::nodes += {
       ["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::barnyard_alert/, $connect = F]
   };

Another limitation of the Barnyard2 Bro output plugin is that if it tries to send events regarding non-TCP/UDP/ICMP ports, it may crash.  See [1] for a potential patch for that, which doesn't seem to have been reviewed or merged into Barnyard2 yet.

- Jon

[1] http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2013-January/005607.html
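Added example (not part of the original post or of Bro's own scripts): a site-local handler that builds on the local.bro configuration above, raising a Notice for the most severe Barnyard2 alerts and attaching the matching Bro connection id.  It assumes the event signature barnyard_alert(id: Barnyard2::PacketID, alert: Barnyard2::AlertData, msg: string, data: string), the AlertData fields used below, and the exported Barnyard2::pid2cid() helper, as defined in Bro 2.1's policy/integration/barnyard2 scripts.

```bro
# Assumed: the Barnyard2 integration script provides the barnyard_alert event,
# the PacketID/AlertData record types and the pid2cid() converter used here.
@load policy/integration/barnyard2
@load base/frameworks/notice

module Barnyard2;

export {
	redef enum Notice::Type += {
		## Raised for a Barnyard2 alert whose priority is at or above the threshold.
		High_Priority_Alert,
	};

	## Alerts with a priority_id at or below this value raise a notice.
	## Snort/Suricata priorities count downward: 1 is the most severe.
	const notice_priority_threshold = 1 &redef;
}

# Run after the integration script's own handler, which logs every alert to
# barnyard2.log; this handler only adds the notice for the severe ones.
event Barnyard2::barnyard_alert(id: Barnyard2::PacketID, alert: Barnyard2::AlertData,
                                msg: string, data: string) &priority=-5
	{
	if ( alert$priority_id > notice_priority_threshold )
		return;

	NOTICE([$note=High_Priority_Alert,
	        $msg=fmt("Barnyard2 gid:sid %d:%d (%s): %s",
	                 alert$generator_id, alert$signature_id,
	                 alert$classification, msg),
	        # Convert the Barnyard2 packet id to a Bro conn_id so the notice
	        # carries the usual orig/resp endpoint columns.
	        $id=Barnyard2::pid2cid(id),
	        $src=id$src_ip,
	        # Suppress repeats of the same signature from the same source
	        # for ten minutes so a noisy rule does not flood notice.log.
	        $identifier=cat(alert$generator_id, ":", alert$signature_id, ":", id$src_ip),
	        $suppress_for=10min]);
	}
```

Drop this file next to local.bro on the manager node (or @load it from local.bro) and the notices appear in notice.log alongside the barnyard2.log entries the integration script already writes.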
